Is there a way to get an X509Certificate from X509CRLEntry


Is there a way to get an X509Certificate from X509CRLEntry

Prasad Jeewantha
Hi,

I have the following Set of X509CRLEntry objects.

Set<X509CRLEntry> revokedSet = (Set<X509CRLEntry>) x509CRL.getRevokedCertificates();


I need to create a revoked "X509Certificate" object from the
revokedSet. Is there a way to do this? Any help appreciated.
Thanks,

Jeewantha.

Re: Is there a way to get an X509Certificate from X509CRLEntry

martijn.list
On 07/15/2013 01:40 PM, Jeewantha Dharmaparakrama wrote:

> Hi,
>
> I have the following Set of X509CRLEntry objects.
>
> Set<X509CRLEntry> revokedSet = (Set<X509CRLEntry>)
> x509CRL.getRevokedCertificates();
>
>
> I need to create a revoked "X509Certificate" object from the
> revokedSet. Is there a way to do this? Any help appreciated.
> Thanks,

This is not possible. The certificate is not part of the CRL. Only a
reference (in most cases only the serial number) to the certificate is
part of the CRL.

Kind regards,

Martijn Brinkers


--
DJIGZO email encryption


Re: Is there a way to get an X509Certificate from X509CRLEntry

Gurmeen Bindra
On 15/07/13 12:40, Jeewantha Dharmaparakrama wrote:

> Hi,
>
> I have the following Set of X509CRLEntry objects.
>
> Set<X509CRLEntry> revokedSet = (Set<X509CRLEntry>)
> x509CRL.getRevokedCertificates();
>
>
> I need to create a revoked "X509Certificate" object from the
> revokedSet. Is there a way to do this? Any help appreciated.

It only gives a list of serial numbers of revoked certificates.
Serial numbers can then be used to get to the certificates, as they are
supposed to be unique.

> Thanks,
>
> Jeewantha.
>



Re: Is there a way to get an X509Certificate from X509CRLEntry

Prasad Jeewantha
On Mon, Jul 15, 2013 at 5:44 PM, Gurmeen Bindra <[hidden email]> wrote:
> On 15/07/13 12:40, Jeewantha Dharmaparakrama wrote:
>> Hi,
>>
>> I have the following Set of X509CRLEntry objects.
>>
>> Set<X509CRLEntry> revokedSet = (Set<X509CRLEntry>)
>> x509CRL.getRevokedCertificates();
>>
>> I need to create a revoked "X509Certificate" object from the
>> revokedSet. Is there a way to do this? Any help appreciated.
>
> It only gives a list of serial numbers of revoked certificates.
> Serial numbers can then be used to get to the certificates, as they are supposed to be unique.

How do I get the certificate as an X509Certificate object from the serial number? Is there a way to do that? What I want is to get a revoked X509Certificate to test a feature I developed to check Certificate Revocation Status. I can get a non-revoked Certificate from an existing https endpoint but I don't know how to get a revoked certificate. Please advise.
Thanks.

>> Thanks,
>>
>> Jeewantha.




Re: Is there a way to get an X509Certificate from X509CRLEntry

Matti Aarnio
On 07/15/2013 02:40 PM, Jeewantha Dharmaparakrama wrote:
> Hi,
>
> I have the following Set of X509CRLEntry objects.
>
> Set<X509CRLEntry> revokedSet = (Set<X509CRLEntry>) x509CRL.getRevokedCertificates();
>
> I need to create a revoked "X509Certificate" object from the
> revokedSet. Is there a way to do this? Any help appreciated.
> Thanks,
>
> Jeewantha.

Maybe.  Do you have access to an LDAP directory containing those certificates?
Then you could pick the SerialNumber from the CRL entry, and with it (and some other data you must get from elsewhere, like the LDAP BaseDN) query the LDAP directory for that certificate.

If such a directory is not available, then the answer is a flat "no".


The design principle behind the CRL is that it contains only the minimal data needed for a unique match to certificates. The file header has Issuer information, which matches against the issuer of the certificates, and at that issuer the serial numbers are unique, and it lists only the serial numbers being revoked.

Originally serial numbers came from database sequence numbers, but soon CAs realized that they do not want to let out any kind of clue about how many customers they really have. These days the SerialNumber is either some sort of hash of the certificate data, or a pure random value.  Any kind of value works, as long as it is unique at that CA.

The "CA does not want to leak information" motivated the creation of OCSP - you can use that protocol to ask "is this certificate OK", but you get no data about how many other revocation entries exist.

Matti



Re: Is there a way to get an X509Certificate from X509CRLEntry

Arshad Noor
If you are doing client-certificate-authenticated SSL/TLS, then
you already have the certificate as part of the SSL/TLS session
establishment.

If it is to verify digital signatures on documents/objects, the client
certificate must be in the signature blob.

In both cases, in order to read the CRL, you must have already had the
client-certificate, so what else are you looking for?

Arshad Noor
StrongAuth, Inc.

On 07/15/2013 05:33 AM, Jeewantha Dharmaparakrama wrote:



Re: Is there a way to get an X509Certificate from X509CRLEntry

Prasad Jeewantha
Thanks for the responses.
What I want is to have an X509Certificate object of a revoked certificate to test if revocation verification works at SSL Handshake. I made a feature for Apache Synapse ESB to verify the certificates when making an SSL connection. The feature works for certificates which are not revoked, but there is no way that I can test it for revoked certificates. When I connect to www.facebook.com through Synapse, the HTTPS connection is made since Facebook's certificate is not revoked.  But how do I check if the HTTPS connection is NOT created for endpoints with revoked certificates? I want to write a unit test to verify the feature actually works.

I tried a workaround for this but was not successful.
What I did was, I made an X509Certificate object from facebook.com's certificate (facebookCertificate). Then I got the CRL from facebook.com's issuer (Verisign). From the X509CRL object, I got the serialNumber of the first X509CRLEntry of the CRL.

        BigInteger revokedSerialNumber = null;
        Set<X509CRLEntry> revokedSet = (Set<X509CRLEntry>) x509CRL.getRevokedCertificates();
        Iterator<X509CRLEntry> iterator = revokedSet.iterator();
        if (iterator.hasNext()) {
            // take the serial number of the first revoked entry in the CRL
            revokedSerialNumber = iterator.next().getSerialNumber();
        }

Next, I created a new X509Certificate with the above serialNumber.

            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "BC");
            generator.initialize(1024, new SecureRandom());
            KeyPair pair = generator.generateKeyPair();

            X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();

            certGen.setSerialNumber(revokedSerialNumber);
            certGen.setIssuerDN(new X500Principal("CN=Revoked Certificate"));
            certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000));
            certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000));
            certGen.setSubjectDN(new X500Principal("CN=Revoked Certificate"));
            certGen.setPublicKey(pair.getPublic());
            certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");

            certGen.copyAndAddExtension(new DERObjectIdentifier(X509Extensions.CRLDistributionPoints.getId()), false, facebookCertificate);
            X509Certificate revokedCertificate = certGen.generateX509Certificate(pair.getPrivate(), "BC");

So now I have an X509Certificate with a serialNumber which is in the Certificate Revocation List.
Now I called

x509CRL.isRevoked(revokedCertificate)

But unfortunately this returns false. According to this [1], the logic in the isRevoked() method only checks if the serial number is in the CRL. I wonder why it still returns false. Is there any other way to solve my problem? Please advise.

[1] http://grepcode.com/file/repository.springsource.com/org.bouncycastle/com.springsource.org.bouncycastle.jce/1.39.0/org/bouncycastle/jce/provider/X509CRLObject.java#X509CRLObject.isRevoked%28java.security.cert.Certificate%29

Thanks,
Jeewantha


On Mon, Jul 15, 2013 at 10:58 PM, Arshad Noor <[hidden email]> wrote:


Re: Is there a way to get an X509Certificate from X509CRLEntry

Matti Aarnio
On 07/15/2013 11:30 PM, Jeewantha Dharmaparakrama wrote:
> Thanks for the responses.
> What I want is to have an X509Certificate object of a revoked certificate to test if revocation verification works at SSL Handshake. I made a feature for Apache Synapse ESB to verify the certificates when making an SSL connection. The feature works for certificates which are not revoked, but there is no way that I can test it for revoked certificates. When I connect to www.facebook.com through Synapse, the HTTPS connection is made since Facebook's certificate is not revoked.  But how do I check if the HTTPS connection is NOT created for endpoints with revoked certificates? I want to write a unit test to verify the feature actually works.

Hmm..  I do this kind of test in my own test lab with my own OpenSSL-based primitive CA, which
lets me create the certificates for servers and clients as I need, plus it creates the CRL data for me.

I have both server and client certificates that are valid according to this test CRL, and also revoked ones.
Depending on what I want to test, I change the key+cert at server/client.
(I have both server keys/certs running at different ports, and both client keys/certs also being callable from the test harness at will, thus I can test all combinations.)


(story about hacking)
..............
> So now I have an X509Certificate with a serialNumber which is in the Certificate Revocation List.
> Now I called
>
> x509CRL.isRevoked(revokedCertificate)
>
> But unfortunately this returns false. According to this [1], the logic in the isRevoked() method only checks if the serial number is in the CRL. I wonder why it still returns false. Is there any other way to solve my problem? Please advise.

Because you omitted checking that the certificate and the CRL file share the same trust anchor.
Your fake certificate is not signed by the correct CA -> revocation does not happen by the Verisign CRL data.

Instead of trying to fake real system certificates, build your own CA issuing your certs and CRLs.
Much easier that way.

Had you been able to do the faking, the whole PKIX system would be worthless.

> Thanks,
> Jeewantha


BR, Matti



Re: Is there a way to get an X509Certificate from X509CRLEntry

Arshad Noor
Jeewantha,

You can create your own certificates and CRLs with a little effort spent
learning how to use OpenSSL or installing EJBCA.  But, if your objective
is to understand these things at a more fundamental level and to create
tools that use these artifacts, invest your time in learning one or both
of the above tools; it will be well worth your time.

Arshad Noor
StrongAuth, Inc.

On 07/15/2013 01:30 PM, Jeewantha Dharmaparakrama wrote:

> Thanks for the responses.
> What I want is to have an X509Certificate object of a revoked
> certificate to test if revocation verification works at SSL Handshake. I
> made a feature for Apache Syanpse esb to verify the certificates when
> making an SSL connection. The feature works for certificates which are
> not revoked, but there is no way that I can test it for revoked
> certificates. When I connect to www.facebook.com
> <http://www.facebook.com> though synapse, the HTTPS connection is made
> since facebooks certificate is not revoked.  But how do I check if the
> HTTPS connection is NOT created for endpoints with revoked certificates.
> I want to write a unit test to verify the feature actually works.
>
> I tried a workaround for this but was not successful.
> What I did was, I made an X509Certificate object from facebook.com
> <http://facebook.com>'s certificate (facebookCertificate). Then I got
> the CRL from facebook.com <http://facebook.com>'s issuer (Verisign).
>  From the X509CRL object, I got the serialNumber of the first
> X509CRLEntry of the CRL.
>
> BigInteger revokedSerialNumber;
>          Set<X509CRLEntry> revokedSet = (Set<X509CRLEntry>)
> x509CRL.getRevokedCertificates();
>          Iterator iterator = revokedSet.iterator();
>          if(iterator.hasNext()){
> revokedSerialNumber = ((X509CRLEntry)iterator.next()).getSerialNumber()
>          }
>
> Next, I created a new X509Certificate with the above serialNumber.
>
>              KeyPairGenerator generator =
> KeyPairGenerator.getInstance("RSA", "BC");
>              generator.initialize(1024, new SecureRandom());
>              KeyPair pair = generator.generateKeyPair();
>
>              X509V3CertificateGenerator certGen = new
> X509V3CertificateGenerator();
>
>              certGen.setSerialNumber(revokedSerialNumber);
>              certGen.setIssuerDN(new X500Principal("CN=Revoked
> Certificate"));
>              certGen.setNotBefore(new Date(System.currentTimeMillis() -
> 50000));
>              certGen.setNotAfter(new Date(System.currentTimeMillis() +
> 50000));
>              certGen.setSubjectDN(new X500Principal("CN=Revoked
> Certificate"));
>              certGen.setPublicKey(pair.getPublic());
>              certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
>
>              certGen.copyAndAddExtension(new
> DERObjectIdentifier(X509Extensions.CRLDistributionPoints.getId()),
> false, facebookCertificate);
>              X509Certificate revokedCertificate =
> certGen.generateX509Certificate(pair.getPrivate(), "BC");
>
> So now I have an X509Certificate with a serialNumber which is in the
> Certificate Revocation List.
> Now I called
>
> x509CRL.isRevoked(revokedCertificate)
>
> But unfortunately this returns false. According to this [1], the logic
> in isRevoked() method only checks if the serial number is in the crl. I
> wonder why it still returns false. Is there any other way to solve my
> problem? Please advice,
>
> [1]
> http://grepcode.com/file/repository.springsource.com/org.bouncycastle/com.springsource.org.bouncycastle.jce/1.39.0/org/bouncycastle/jce/provider/X509CRLObject.java#X509CRLObject.isRevoked%28java.security.cert.Certificate%29
>
> Thanks,
> Jeewantha
>
>
> On Mon, Jul 15, 2013 at 10:58 PM, Arshad Noor
> <[hidden email] <mailto:[hidden email]>> wrote:
>
>     If you are doing client-certificate authenticated based SSL/TLS, then
>     you already have the certificate as part of the SSL/TLS session
>     establishment.
>
>     If it is to verify digital signatures on documents/objects, the client
>     certificate must be in the signature blob.
>
>     In both cases, in order to read the CRL, you must have already had the
>     client-certificate, so what else are you looking for?
>
>     Arshad Noor
>     StrongAuth, Inc.
>
>
>     On 07/15/2013 05:33 AM, Jeewantha Dharmaparakrama wrote:
>
>
>
>
>         On Mon, Jul 15, 2013 at 5:44 PM, Gurmeen Bindra
>         <[hidden email] <mailto:[hidden email]>
>         <mailto:gurmeen.bindra@isode.__com
>         <mailto:[hidden email]>>> wrote:
>
>              On 15/07/13 12:40, Jeewantha Dharmaparakrama wrote:
>
>                  Hi,
>
>                  I have the following Set of X509CRLEntry objects.
>
>                  Set<X509CRLEntry> revokedSet = (Set<X509CRLEntry>)
>                  x509CRL.____getRevokedCertificates();
>
>
>
>                  I need to create a revoked "X509Certificate" object
>         from the
>                  revokedSet. Is there a way to do this? Any help
>         appreciated.
>
>
>              It only gives a list serial numbers of revoked certificates.
>              Serial numbers can then be used to get to the certificates
>         as they
>              are supposed to be unique.
>
>         How do I get the certificate as an X509Certificate object from the
>         serial number? Is there a way to do that? What I want is to get a
>         revoked X509Certificate to test a feature I developed to check
>         Certificate Revocation Status. I can get a non revoked
>         Certificate from
>         an existing https endpoint but I don't know how to get a revoked
>         certificate. Please advice.
>         Thanks.
>
>
>                  Thanks,
>
>                  Jeewantha.
>
>
>
>
>

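The test-CA approach Matti and Arshad recommend, as an added example that is not code from the thread or from any of its posters: a throwaway OpenSSL CA issues a leaf certificate and a CRL that revokes it, and the same script then makes the comparison a CRL lookup really makes (issuer first, then serial), which is why a self-signed certificate that only borrows a revoked serial number, as attempted above, is never reported as revoked. Every file name and subject name ("Test CA", "leaf.test") is made up here; the only assumption is that `openssl` is on PATH.

```shell
#!/bin/sh
# Added example (not code from the thread): a throwaway OpenSSL test CA that
# issues one leaf certificate and a CRL revoking it, plus the comparison a
# CRL lookup really makes (issuer match, then serial match).
# Assumes only that `openssl` is on PATH; every file name here is made up.
set -e

setup_test_ca() {                      # $1 = empty working directory
  d="$1"
  mkdir -p "$d/newcerts"; : > "$d/index.txt"
  echo 1000 > "$d/serial"; echo 01 > "$d/crlnumber"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Self-signed test CA, then a leaf CSR signed through 'openssl ca' so the
  # serial lands in index.txt and can be revoked later.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
    -extensions ca_ext -keyout "$d/ca.key" -out "$d/ca.pem" -config "$d/ca.cnf" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" -config "$d/ca.cnf" 2>/dev/null
  openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/leaf.csr" -out "$d/leaf.pem" 2>/dev/null
  # One CRL before and one after revoking the leaf (reason is arbitrary test data)
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl-empty.pem" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -revoke "$d/leaf.pem" -crl_reason keyCompromise 2>/dev/null
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl-revoked.pem" 2>/dev/null
  # The thread's failed shortcut: an unrelated self-signed certificate that
  # merely reuses the revoked serial (0x1000) under a different issuer name.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -set_serial 0x1000 \
    -subj "/CN=Revoked Certificate" -keyout "$d/fake.key" -out "$d/fake.pem" \
    -config "$d/ca.cnf" 2>/dev/null
}

# What a CRL lookup compares: the certificate's issuer must equal the CRL
# issuer *and* its serial must be listed. Exits 0 only when both hold.
crl_lists_cert() {                     # $1 = CRL file, $2 = certificate file
  [ "$(openssl crl -in "$1" -noout -issuer)" = "$(openssl x509 -in "$2" -noout -issuer)" ] || return 1
  serial=$(openssl x509 -in "$2" -noout -serial | sed 's/^serial=//')
  openssl crl -in "$1" -noout -text | grep -q "Serial Number: $serial"
}

# Full path validation with CRL checking, the way a TLS stack does it.
# Prints "revoked", "ok" or "error" (chain failed for some other reason).
check_revocation() {                   # $1 = CA cert, $2 = CRL, $3 = certificate
  cat "$1" "$2" > "$2.store"           # -CAfile accepts certs and CRLs in one PEM file
  out=$(openssl verify -crl_check -CAfile "$2.store" "$3" 2>&1 || true)
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo ok ;;
    *)                       echo error ;;
  esac
}
```

Pointing a revocation-checking client at a server that presents `leaf.pem` with `crl-revoked.pem` published is the negative test the thread asks for; `fake.pem` fails chain building long before any CRL is consulted.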

Re: Is there a way to get an X509Certificate from X509CRLEntry

Prasad Jeewantha
Thanks all for the advice. Apparently creating my own CA would be the answer. Thanks again :)
Jeewantha.


On Tue, Jul 16, 2013 at 8:36 AM, Arshad Noor <[hidden email]> wrote: